A New Wave of Privacy Class Actions
Since August 2022, more than 50 lawsuits have been filed against hospital systems, alleging they track and disclose patients’ identities and online activities via third-party website analytics tools without the website visitors’ knowledge and consent. The claims asserted include those based on (a) contracts (alleged inaccurate website privacy policies or notices); (b) state privacy laws (alleged unauthorized disclosures of personal and/or health information to third parties); and (c) federal or state wiretapping laws (alleged interceptions of communications). Motion to dismiss briefing is ongoing in many of these cases and involves these issues:
- Breach of contract: Whether HIPAA-required privacy notices form a contract and plaintiffs’ failure to allege specific contract provisions allegedly breached.
- State privacy laws: Whether plaintiffs consented to the alleged tracking and plaintiffs’ failure to state facts showing a “highly offensive” intrusion.
- Breach of confidence, negligence, and breach of fiduciary duty: Whether a state already has a common law tort for the alleged unauthorized disclosure.
- State consumer protection laws: Whether the plaintiff has identified sufficient damages.
In addition to determining whether any of these arguments would be appropriate in a motion to dismiss, defendants should consider the following:
- For wiretap act claims, evaluate whether “contents” of communications are at issue, and whether the statute requires two- or one-party consent, as the latter may foreclose the occurrence of “interception.”
- Evaluate whether claims are subject to binding arbitration and/or class action waivers, which may form the basis of a successful motion to compel arbitration or a motion to strike class allegations, respectively.
If claims survive a motion to dismiss, opposing class certification becomes critical. Entities should focus on key differences in putative class members’ experiences to narrow a class (purpose for visiting website, pages visited, and browser and device settings – each impacting what information, if any, was transmitted). And remember, even though a court may certify a class, it can later decertify it.